84 Cards in this Set
- Front
- Back
Substitution cipher |
one character or symbol is changed into another; one of the oldest: Caesar cipher (shift 3-rt); other e.g.s: Atbash, Playfair, Scytale |
|
multi-alphabet substitution |
Vigenere cipher; uses keyword to look up cipher text in a table |
|
transposition ciphers |
message is broken into equal blocks, then each block is scrambled; Rail Fence cipher |
|
ROT13 |
algorithm rotates every letter 13 places in the alphabet
|
|
enigma machine |
typewriter that implemented multi-alphabet cipher; uses 26 alphabet substitutions |
|
steganography |
uses LSB (least significant bit) to hide messages in a medium; programs: QuickStego, Invisible Secrets; used for watermarking |
|
Encrypt filesystem in Linux |
1. login as root and start YaST 2. Choose System>Partitioner 3. yes to prompt. select filesystem and edit 4. select the Encrypt file system check box. Ok |
|
What are the major areas of modern cryptography? |
symmetric cryptography; asymmetric cryptography; hashing algorithms |
|
symmetric cryptography |
both ends of encrypted message use the same key and algorithms; uses a secret/private key; uses block or stream cipher; fast; e.g.s: DES, 3DES, AES, AES256, CAST, RC4, RC5, RC6, Blowfish, Twofish, IDEA, One-time pads |
|
DES (data encryption standard) |
replaced by AES; based on 56 bit; considered insecure due to small key size |
|
3DES (Triple DES) |
upgrade to DES; key length is 168 bits; uses 3 56-bit DES keys |
|
AES (advanced encryption standard) |
replaced DES; uses Rijndael algorithm; used by govt agencies; default key is 128 bits; supports 128, 192, 256 bits |
|
AES256 |
uses 256 bits; qualifies for US govt top secret classification
|
|
CAST |
developed by Carlisle Adams & Stafford Tavares; used in Microsoft and IBM products; uses 40-128 bit key; fast and efficient; additional versions: CAST128, CAST256 |
|
Ron's Cipher (RC) |
an encryption family by RSA labs; authored by Ron Rivest; current levels are RC4, RC5, and RC6; uses key size up to 2048 bits |
|
RC4 (Ron's Cipher 4) |
popular with WEP/WPA encryption; streaming cipher using 40-2048 bit keys; used in SSL and TLS; used in utilities for downloading BitTorrents |
|
Blowfish |
invented by Bruce Schneier and team; performs 64 bit block cipher (symmetric); fast speeds; uses variable length keys from 32-448 bits |
|
Twofish |
similar to Blowfish; works on 128 bit blocks; has complex key schedule |
|
IDEA (international data encryption algorithm) |
developed by Swiss consortium; uses 128 bit key; more secure than DES but similar concept; used in PGP (pretty good privacy); Ascom AG holds the right to market |
|
One-Time Pads |
only truly completely secure cryptographic implementation; use a key that is as long as a plaintext message; used only once |
|
key exchange |
2 primary approaches: in band key exchange (same channel as encryption), out of band key exchange |
|
forward secrecy |
property of any key exchange system that ensures if 1 key is compromised, subsequent keys will not be compromised. |
|
perfect forward secrecy |
when the key exchange process is unbreakable; common approach uses ephemeral keys |
|
asymmetric algorithms |
uses public key to encrypt and private key to decrypt; based on number theory; the 4 popular ones are: RSA, Diffie-Hellman, ECC, and ElGamal
|
|
RSA |
named after inventors Rivest, Shamir, Adleman; the de facto standard; uses large integers; works with both encryption and digital signatures; can be used for key exchange |
|
Diffie-Hellman |
used primarily to send keys across public networks; used to create symmetric keys between 2 parties; does not encrypt nor decrypt |
|
ECC (elliptic curve cryptography) |
similar to RSA but uses smaller keys; uses points on a curve combined with a point at infinity and the difficulty of solving discrete logarithms; NSA recommended; will be commonly implemented on cell phones soon; variations: ECC-DH and ECC-DSA |
|
ElGamal |
uses ephemeral key; used for single communication session |
|
ephemeral key |
a key that exists for only a single session; allows for perfect forward secrecy |
|
Kerckhoff's Principle |
the security of an algorithm should depend only on the secrecy of the key and not the algorithm itself. |
|
Hashing Algorithms |
secure hash algorithm (SHA); message digest algorithm (MD); The RACE Integrity Primitives Evaluation Message (RIPEMD); GOST; LANMAN; NT LAN Manager (NTLM) |
|
hash characteristics |
1. must be 1 way; 2. variable length input produces fixed length output; 3. algorithm must have few or no collisions (2 inputs don't give same output) |
|
rainbow tables |
all possible hashes are computed in advance; e.g. OphCrack |
|
salt |
added bits at key locations either before or after hash |
|
key stretching |
strengthening a weak key; 2 methods: PBKDF2 (Password-Based Key Derivation Function 2) & Bcrypt |
|
quantum cryptography |
originally limited to lab work and secret govt applications; basis for QKE (quantum key exchange) |
|
Common code breaking techniques |
frequency analysis (looks at patterns); chosen plaintext; related key attack; brute force attacks; exploiting human error |
|
cryptographic system |
a system, method, or process that is used to provide encryption and decryption |
|
pre-shared key |
when all the clients and access points share the same key |
|
work factor |
an estimate of the amount of time and effort that would be needed to break a system |
|
digital signatures |
sender uses private key to create digital signature; receiver uses public key attached to message to decrypt; most use a hash to ensure message hasn't been altered; receiver compares signature area (message digest) to calculated value |
|
nonrepudiation |
prevents one party from denying actions they carried out |
|
Certificate Authority (CA) |
manage public keys; issue certificates verifying validity of a sender's message (nonrepudiation) |
|
key escrow |
keys to encrypt/decrypt in escrow until requested by 3rd party |
|
key recovery agent |
entity that has the ability to recover a key, key components, or plaintext messages |
|
key registration |
the process of providing certificates to users; done by a registration authority (RA) |
|
certificate revocation list (CRL) |
a list of certificates a specific CA states should no longer be used; being replaced by OCSP (online certificate status protocol) |
|
types of trust models |
bridge; hierarchical; hybrid; mesh |
|
National Security Agency (NSA) |
responsible for creating codes, breaking codes, and coding systems for the US government; chartered in 1952; responsible for obtaining foreign intelligence and supplying to US govt agencies; world's largest employer of mathematicians |
|
National Security Agency/Central Security Service (NSA/CSS) |
independently functioning part of the NSA; supports all branches of the US military; created in the 1970s to standardize and support the DoD |
|
National Institute of Standards and Technology (NIST) |
formerly NBS (National Bureau of Standards); develops and supports US govt standards; publishes info about known vulnerabilities |
|
RFC (Request for Comments) |
method to propose a standard; originated in 1969; categorized as a standard, best practice, informational, experimental or historic |
|
major associations |
American Bankers Association (ABA); Internet Engineering Task Force (IETF); Internet Society (ISOC): oversees the IETF; World Wide Web Consortium (W3C): sponsors XML; International Telecommunications Union (ITU); Institute of Electrical and Electronics Engineers (IEEE): development of PKC, wireless and networking protocols
|
|
Public Key Infrastructure X.509 (PKIX) |
the working group formed by IETF to develop standards and models for the PKI environment |
|
Public Key Cryptography Standards (PKCS) |
a set of voluntary standards created by RSA and security leaders; there are 15 standards; early group members: Apple, Microsoft, HP, Lotus, Sun, MIT |
|
X.509 standard |
defines the certificate formats and fields for public keys; defines procedures for public key distribution; currently on v3; 2 basic types: end-entity certificate, CA certificate |
|
X.509 properties |
signature (primary purpose); version; serial #; signature algorithm ID; issuer name; validity period; subject name; subject public key info; issuer unique identifier (v2 and v3); subject unique identifier (v2 and v3); extensions (v3) |
|
cipher suite |
a combination of methods such as authentication, encryption and message authentication code (MAC) algorithm used together, e.g. TLS and SSL |
|
configure SSL port in Windows Server 2012 |
1. Start > Admin Tools > IIS Manager; 2. right click on website and go to Properties; 3. select Web Site tab, enter port #; 4. click OK and exit; default port is 443 |
|
certificate management protocol (CMP) |
a messaging protocol used between PKI entities |
|
XML Key Management Specification (XKMS) |
designed to allow XML-based programs access to PKI services; built on CMP |
|
Secure Multipurpose Internet Mail Extensions (S/MIME) |
standard for encrypting email; contains signature data; asymmetric algorithms for confidentiality; uses digital certificates for authentication |
|
Secure Electronic Transaction (SET) |
provides encryption for credit card numbers that can be transmitted over the internet; developed by Visa and Mastercard; works with an electronic wallet |
|
electronic wallet |
a device that identifies you electronically in the same ways as the cards you carry in your wallet |
|
Pretty Good Privacy (PGP) |
freeware email encryption system; used for email security; uses both asymmetric and symmetric systems
|
|
GNU Privacy Guard (GPG) |
free alternative to PGP |
|
HTTP Secure (HTTPS) |
port 443; uses SSL; used for secure transactions by providing a secure channel |
|
Secure HTTP (S-HTTP) |
HTTP with message security; port 80; seldom used; creates a secure message; provides data integrity and authentication |
|
configure IPSec on Windows 7/8 |
1. run perfmon.msc; 2. select Performance Monitor; 3. right-click graph, choose Add Counters; 4. select IPSec IKEv1 IPv4 and expand options; 5. click Show Description and read comments; 6. click Add: Failed Main Mode Negotiations and Failed Quick Mode Negotiations |
|
Federal Information Processing Standard (FIPS) |
a set of guidelines for US federal government information systems; issued by NIST |
|
Public Key Infrastructure (PKI) |
a framework; a 2 key, asymmetric system with 4 main components: certificate authority (CA), registration authority (RA), RSA, and digital certificates |
|
certificate policies |
define what certificates do; affect how a certificate is issued and how it is used; the policy indicates which certificates will be accepted in a given application |
|
cross certification |
the process of requiring interoperability of a certificate |
|
Certificate Practice Statement (CPS) |
a detailed statement the CA uses to issue certificates and implement its policies; discusses how certificates are issued, measures taken to protect certificates, rules that CA users must follow to maintain certificate eligibility |
|
certificate revocation |
the process of revoking a certificate before it expires; handled through a CRL (certificate revocation list) or by using OCSP (online certificate status protocol) |
|
PKI trust models |
hierarchical; bridge; mesh; hybrid |
|
hierarchical trust model |
tree; allows tight control over certificate-based activities; the root CA is at the top and provides all the info; then comes the intermediate CA > leaf CA (the end of the chain/network) |
|
bridge trust model |
a peer-to-peer relationship exists among the root CAs; useful for large, geographically dispersed or 2 separate orgs |
|
mesh trust model |
expands on bridge model by supporting multiple paths and root CAs; also known as a web structure; useful when several orgs need to cross certify certificates |
|
hybrid trust model |
uses the capabilities of any or all of the other trust models. |
|
hardware based encryption devices |
in the advanced config settings in BIOS you can enable TPM (trusted platform module), as well as HSMs (hardware security modules), which are PCI adapters; it's a cryptoprocessor that is used to enhance security |
|
TPM (trusted platform module) |
used to assist with hash key generation; a chip that can store cryptographic keys/passwords/certificates; used to protect mobile devices; is sometimes used with BitLocker; may be installed on motherboard |
|
BitLocker |
a full disk encryption feature; uses 128 bit encryption; a.k.a. hard drive encryption |
|
data encryption |
BitLocker; BitLocker To Go; TrueCrypt; database encryption |